Malware Analysis Report

2024-11-15 05:52

Sample ID: 240723-a7mlwaxhla
Target: AsyncClient.exe
SHA256: 43138adeff58347b55fbb2d28d7ff2b5a240767ddbd15cb6c0e1f9e0bf72a2ec
Tags: rat default asyncrat spyware stealer dcrat evasion infostealer persistence trojan upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 43138adeff58347b55fbb2d28d7ff2b5a240767ddbd15cb6c0e1f9e0bf72a2ec

Threat Level: Known bad

The file AsyncClient.exe was found to be: Known bad.

Malicious Activity Summary

Tags: rat default asyncrat spyware stealer dcrat evasion infostealer persistence trojan upx

Modifies WinLogon for persistence

Async RAT payload

AsyncRat

Asyncrat family

Process spawned unexpected child process

UAC bypass

Contains code to disable Windows Defender

DcRat

DCRat payload

Executes dropped EXE

Checks computer location settings

UPX packed file

Reads user/profile data of web browsers

Checks whether UAC is enabled

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Kills process with taskkill

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies Internet Explorer settings

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-23 00:51

Signatures

Async RAT payload (rat)
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Asyncrat family (asyncrat)

Unsigned PE
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-23 00:51
Reported: 2024-07-23 00:53
Platform: win7-20240704-en
Max time kernel: 118s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

Signatures

AsyncRat (rat asyncrat)

Reads user/profile data of web browsers (spyware stealer)

Suspicious behavior: EnumeratesProcesses
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A

Suspicious use of AdjustPrivilegeToken
Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A

Suspicious use of SetWindowsHookEx
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | saturday-surely.gl.at.ply.gg | udp
US | 147.185.221.21:30089 | saturday-surely.gl.at.ply.gg | tcp

The C2 hostname is a subdomain of ply.gg, the domain used by the playit.gg tunnelling service, so 147.185.221.21:30089 is a tunnel relay endpoint rather than infrastructure the operator owns. Detection should key on the hostname and the non-standard port as well as the IP, since the relay address is shared with other tunnel users.

Files

memory/2680-0-0x00000000745DE000-0x00000000745DF000-memory.dmp

memory/2680-1-0x00000000000E0000-0x00000000000F6000-memory.dmp

memory/2680-2-0x00000000745D0000-0x0000000074CBE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab9149.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2680-19-0x00000000745DE000-0x00000000745DF000-memory.dmp

memory/2680-20-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-23 00:51
Reported: 2024-07-23 00:54
Platform: win10v2004-20240709-en
Max time kernel: 150s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

Signatures

AsyncRat (rat asyncrat)

Contains code to disable Windows Defender
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

DcRat (rat infostealer dcrat)
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A   (39 identical rows, one per schtasks.exe launch)
Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
File created | C:\Program Files (x86)\Windows Portable Devices\eddb19405b7ce1 | C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe | N/A

Modifies WinLogon for persistence (persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell | C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe | N/A   (13 writes)

Hypercommon.exe rewrites the Winlogon Shell value 13 times; each write re-sets the full list and appends one more quoted path, so the 13 recorded values form a prefix chain (the report lists them out of order). The value starts from the stock "explorer.exe" and, with the sandbox's escaping of quotes and backslashes removed, the paths are appended in this order:

1. C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe
2. C:\Program Files (x86)\Windows Portable Devices\Registry.exe
3. C:\Program Files\Windows Photo Viewer\dwm.exe
4. C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe
5. C:\Recovery\WindowsRE\SppExtComObj.exe
6. C:\Program Files\Windows Portable Devices\TiWorker.exe
7. C:\Program Files\WindowsPowerShell\TextInputHost.exe
8. C:\Program Files\Java\jre-1.8\lib\WmiPrvSE.exe
9. C:\Users\Default User\spoolsv.exe
10. C:\Recovery\WindowsRE\RuntimeBroker.exe
11. C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe
12. C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe
13. C:\Program Files\VideoLAN\VLC\dllhost.exe

Final value:
explorer.exe, "C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe", "C:\Program Files (x86)\Windows Portable Devices\Registry.exe", "C:\Program Files\Windows Photo Viewer\dwm.exe", "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe", "C:\Recovery\WindowsRE\SppExtComObj.exe", "C:\Program Files\Windows Portable Devices\TiWorker.exe", "C:\Program Files\WindowsPowerShell\TextInputHost.exe", "C:\Program Files\Java\jre-1.8\lib\WmiPrvSE.exe", "C:\Users\Default User\spoolsv.exe", "C:\Recovery\WindowsRE\RuntimeBroker.exe", "C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe", "C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe", "C:\Program Files\VideoLAN\VLC\dllhost.exe"

Every program in this list is started with the user's shell at each interactive logon. Each appended copy borrows the name of a legitimate Windows binary but sits outside the system directories.
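The Shell value above is a comma-separated list whose entries are double-quoted paths, so a naive split on commas or spaces mis-parses entries such as C:\Users\Default User\spoolsv.exe. The following triage helper is an added example written for this page, not code from the sandbox or from the malware: it unescapes the value as the sandbox prints it, splits it with a quote-aware parser, reports every entry other than the stock explorer.exe, and separately flags entries that reuse the name of a known Windows system binary at a path outside C:\Windows. The SYSTEM_BINARIES list is an editor's assumption covering the names this sample reuses; the sample value is copied from the report.

```python
import csv
from pathlib import PureWindowsPath
from typing import Dict, List

# Final Winlogon\Shell value from the report (the 13th rewrite by Hypercommon.exe), kept in
# the sandbox's raw form, where quotes and backslashes carry JSON-style escapes.
REPORT_SHELL_VALUE = (
    r'explorer.exe, \"C:\\Program Files (x86)\\Windows Portable Devices\\backgroundTaskHost.exe\", '
    r'\"C:\\Program Files (x86)\\Windows Portable Devices\\Registry.exe\", '
    r'\"C:\\Program Files\\Windows Photo Viewer\\dwm.exe\", '
    r'\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\backgroundTaskHost.exe\", '
    r'\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", '
    r'\"C:\\Program Files\\Windows Portable Devices\\TiWorker.exe\", '
    r'\"C:\\Program Files\\WindowsPowerShell\\TextInputHost.exe\", '
    r'\"C:\\Program Files\\Java\\jre-1.8\\lib\\WmiPrvSE.exe\", '
    r'\"C:\\Users\\Default User\\spoolsv.exe\", '
    r'\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", '
    r'\"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\sppsvc.exe\", '
    r'\"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\", '
    r'\"C:\\Program Files\\VideoLAN\\VLC\\dllhost.exe\"'
)

# Editor's list (an assumption, not from the report): binaries with these names legitimately
# live only under %SystemRoot%. Registry.exe is deliberately absent, as it is not a real file.
SYSTEM_BINARIES = {
    "explorer.exe", "dwm.exe", "backgroundtaskhost.exe", "runtimebroker.exe", "spoolsv.exe",
    "sppsvc.exe", "sppextcomobj.exe", "dllhost.exe", "wmiprvse.exe", "tiworker.exe",
    "textinputhost.exe",
}
SYSTEM_ROOT = PureWindowsPath("C:/Windows")


def unescape_report_value(raw: str) -> str:
    # Undo the sandbox's JSON-style escaping: an escaped quote becomes a quote,
    # a doubled backslash becomes a single one.
    return raw.replace('\\"', '"').replace('\\\\', '\\')


def parse_shell_value(value: str) -> List[str]:
    """Split a Shell value into programs; entries are comma-separated and may be double-quoted."""
    fields = next(csv.reader([value], skipinitialspace=True))
    return [f.strip() for f in fields if f.strip()]


def is_masquerading(path: str) -> bool:
    """True when a well-known system binary name appears at an absolute path outside C:\\Windows."""
    p = PureWindowsPath(path)
    if p.name.lower() not in SYSTEM_BINARIES or not p.is_absolute():
        return False  # unknown name, or a bare name such as the default "explorer.exe"
    return SYSTEM_ROOT not in p.parents


def triage_shell(value: str) -> Dict[str, List[str]]:
    """Return every Shell entry, those that are not the stock explorer.exe, and the masquerades."""
    entries = parse_shell_value(value)
    return {
        "entries": entries,
        "unexpected": [e for e in entries if e.lower() != "explorer.exe"],
        "masquerading": [e for e in entries if is_masquerading(e)],
    }


if __name__ == "__main__":
    result = triage_shell(unescape_report_value(REPORT_SHELL_VALUE))
    print(f"{len(result['entries'])} shell entries, {len(result['unexpected'])} unexpected")
    for path in result["masquerading"]:
        print("system binary name outside C:\\Windows:", path)
```

Run against the report's final value this yields 14 entries, 13 of them unexpected and 12 flagged as masquerading (Registry.exe is caught only by the first rule). The same split-and-flag logic applies to the Run key values later in this report, where the dropped copies use the same borrowed names.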

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe   (39 identical events)

UAC bypass (evasion trojan)

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe | N/A   (12 writes)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe | N/A   (12 writes)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe | N/A   (12 writes)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe | N/A

These are not a UAC bypass in the exploit sense but a policy rewrite that requires the writer to already hold administrative rights to HKLM: EnableLUA = 0 turns UAC off entirely (it takes effect after the next reboot), ConsentPromptBehaviorAdmin = 0 lets administrators elevate with no prompt at all, and PromptOnSecureDesktop = 0 draws any remaining prompts on the normal desktop instead of the secure desktop. Hypercommon.exe sets all three once; the dropped backgroundTaskHost.exe copy re-applies them on each of its 12 launches, which is why the table repeats.
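To turn the registry rows above into a single verdict, the following added example (written for this page, not code from the sandbox) parses "Set value" signature rows with a regex that tolerates the sandbox's escaped quotes, replays the integer writes to the UAC policy key in order on top of the Windows defaults, and reports each policy left in a weakened state together with which process wrote it. The rows in SAMPLE_ROWS are copied from this report except the first, a constructed benign row included so the replay starts from a known value; the Windows default values and the meaning of each weakened value are the editor's statements, not something the report records.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# One "Set value" row of the sandbox's signature table:
#   Set value (<type>) <key path> = "<value>" <writing process> <target>
# The value may carry JSON-style escapes (\" and \\), which the value group tolerates.
ROW_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<key>.+?) = "(?P<value>(?:[^"\\]|\\.)*)" '
    r'(?P<process>.+?) (?P<target>\S+)$'
)


class RegWrite(NamedTuple):
    vtype: str    # "int" or "str"
    key: str      # registry key path
    name: str     # value name (last path component)
    value: str    # value exactly as the sandbox printed it
    process: str  # process that performed the write


def parse_rows(lines: List[str]) -> List[RegWrite]:
    """Parse signature-table rows; lines that are not Set value rows are skipped."""
    writes = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        key, _, name = m["key"].rpartition("\\")
        writes.append(RegWrite(m["vtype"], key, name, m["value"], m["process"]))
    return writes


UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# Windows defaults for a member of the Administrators group (editor's values, not from the report).
UAC_DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}
# Values that weaken UAC and what each one means.
UAC_WEAK = {
    "EnableLUA": {0: "UAC switched off entirely (effective after the next reboot)"},
    "ConsentPromptBehaviorAdmin": {0: "administrators elevate without any consent or credential prompt"},
    "PromptOnSecureDesktop": {0: "elevation prompts drawn on the user desktop, where other processes can reach them"},
}


def final_uac_policy(writes: List[RegWrite]) -> Dict[str, int]:
    """Replay the int writes to the UAC policy key in order, starting from the defaults."""
    policy = dict(UAC_DEFAULTS)
    for w in writes:
        if w.vtype == "int" and w.key.lower() == UAC_KEY.lower() and w.name in policy:
            policy[w.name] = int(w.value)
    return policy


def evaluate_uac(policy: Dict[str, int]) -> List[str]:
    """Return one finding per policy that ends up in a weakened state."""
    findings = []
    for name, weak in UAC_WEAK.items():
        val = policy.get(name, UAC_DEFAULTS[name])
        if val in weak:
            findings.append(f"{name}={val}: {weak[val]}")
    return findings


def writes_per_process(writes: List[RegWrite]) -> Counter:
    """How many of the parsed writes each process performed."""
    return Counter(w.process for w in writes)


SAMPLE_ROWS = [
    # constructed benign row: the stock value, so the replay starts from a known state
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\regedit.exe N/A',
    # rows copied from the report's UAC bypass table (one per distinct value and writer)
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A',
    # a str row copied from the report's Winlogon table, to exercise the escaped-value handling
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Portable Devices\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A',
]

if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    for finding in evaluate_uac(final_uac_policy(parsed)):
        print(finding)
    for proc, n in writes_per_process(parsed).items():
        print(f"{n} writes by {proc}")
```

Because parse_rows also accepts the str rows, the same parser can feed the Winlogon Shell and Run key tables in this report into whatever persistence check you keep; only the replay step is UAC-specific.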

DCRat payload (rat)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A   (3 matches)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe | N/A   (12 queries)
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A   (2 queries)
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\hovtpw.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hovtpw.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe | N/A
N/A | N/A | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe | N/A   (12 launches)
N/A | N/A | C:\ProgramData\Getscreen.exe | N/A   (4 launches)

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Java\\jre-1.8\\lib\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\sppsvc.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\sppsvc.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\WindowsPowerShell\\TextInputHost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\VideoLAN\\VLC\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Windows Portable Devices\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default User\\spoolsv.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\VideoLAN\\VLC\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Windows Portable Devices\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Registry.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\WindowsPowerShell\\TextInputHost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Java\\jre-1.8\\lib\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows Photo Viewer\\dwm.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows Photo Viewer\\dwm.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TiWorker = "\"C:\\Program Files\\Windows Portable Devices\\TiWorker.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Registry.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TiWorker = "\"C:\\Program Files\\Windows Portable Devices\\TiWorker.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default User\\spoolsv.exe\"" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WindowsPowerShell\22eafd247d37c3 C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\24dbde2999530e C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\0a1fd5f707cd16 C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files\Windows Multimedia Platform\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files\Windows Portable Devices\cd89ddd3d81b06 C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files\WindowsPowerShell\TextInputHost.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\ee2ad38f3d4382 C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\eddb19405b7ce1 C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\WmiPrvSE.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files\Windows Photo Viewer\dwm.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files\Windows Portable Devices\TiWorker.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files\VideoLAN\VLC\5940a34987c991 C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\eddb19405b7ce1 C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\Registry.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files\Windows Photo Viewer\6cb0b6c459d5d3 C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
File created C:\Program Files\VideoLAN\VLC\dllhost.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Getscreen.exe = "11001" C:\ProgramData\Getscreen.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Getscreen.exe = "11001" C:\ProgramData\Getscreen.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\hovtpw.exe N/A
Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
N/A N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
N/A N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
N/A N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
N/A N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
N/A N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
N/A N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
N/A N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
N/A N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\Getscreen.exe N/A
N/A N/A C:\ProgramData\Getscreen.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
N/A N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
N/A N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
N/A N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
N/A N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\ProgramData\Getscreen.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\Getscreen.exe N/A
N/A N/A C:\ProgramData\Getscreen.exe N/A
N/A N/A C:\ProgramData\Getscreen.exe N/A
N/A N/A C:\ProgramData\Getscreen.exe N/A
N/A N/A C:\ProgramData\Getscreen.exe N/A
N/A N/A C:\ProgramData\Getscreen.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\ProgramData\Getscreen.exe N/A
N/A N/A C:\ProgramData\Getscreen.exe N/A
N/A N/A C:\ProgramData\Getscreen.exe N/A
N/A N/A C:\ProgramData\Getscreen.exe N/A
N/A N/A C:\ProgramData\Getscreen.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1856 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Users\Admin\AppData\Local\Temp\hovtpw.exe
PID 1856 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Users\Admin\AppData\Local\Temp\hovtpw.exe
PID 1856 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Users\Admin\AppData\Local\Temp\hovtpw.exe
PID 4396 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\hovtpw.exe C:\Windows\SysWOW64\WScript.exe
PID 4396 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\hovtpw.exe C:\Windows\SysWOW64\WScript.exe
PID 4396 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\hovtpw.exe C:\Windows\SysWOW64\WScript.exe
PID 2648 wrote to memory of 4492 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 4492 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 4492 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4492 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe
PID 4492 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe
PID 1420 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe
PID 1420 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe
PID 4396 wrote to memory of 1832 N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 4396 wrote to memory of 1832 N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 4396 wrote to memory of 4316 N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 4396 wrote to memory of 4316 N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 1856 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 1856 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 1856 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 1832 wrote to memory of 400 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe
PID 1832 wrote to memory of 400 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe
PID 400 wrote to memory of 4584 N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 400 wrote to memory of 4584 N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 400 wrote to memory of 3648 N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 400 wrote to memory of 3648 N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 4584 wrote to memory of 1336 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe
PID 4584 wrote to memory of 1336 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe
PID 1336 wrote to memory of 3528 N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 1336 wrote to memory of 3528 N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 1336 wrote to memory of 832 N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 1336 wrote to memory of 832 N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 3528 wrote to memory of 456 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe
PID 3528 wrote to memory of 456 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe
PID 456 wrote to memory of 4384 N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 456 wrote to memory of 4384 N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 456 wrote to memory of 1436 N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 4384 wrote to memory of 4508 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe
PID 4508 wrote to memory of 4056 N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 4508 wrote to memory of 2852 N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 4056 wrote to memory of 2696 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe
PID 2696 wrote to memory of 2308 N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 2696 wrote to memory of 5064 N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 2308 wrote to memory of 3104 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe
PID 3104 wrote to memory of 3824 N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 3104 wrote to memory of 3532 N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 3824 wrote to memory of 1336 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe
PID 1336 wrote to memory of 1896 N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 1336 wrote to memory of 448 N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 1896 wrote to memory of 536 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

C:\Users\Admin\AppData\Local\Temp\hovtpw.exe

"C:\Users\Admin\AppData\Local\Temp\hovtpw.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\portwebdll\fn8HNHVgHWFLApRQ1mH.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\portwebdll\CedH0gOYji0h1dJ.bat" "

C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe

"C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TiWorkerT" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\TiWorker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TiWorker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\TiWorker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TiWorkerT" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\TiWorker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre-1.8\lib\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\lib\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre-1.8\lib\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\dllhost.exe'" /rl HIGHEST /f

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe

"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8af6d6f1-f9ca-4dbf-a609-98d144ed2edc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a2c4dd2-3fec-41e6-b803-627c7f7bab31.vbs"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe

"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14e1f8dd-97cb-4f6a-9b71-deeb13a58c21.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d81f75b7-9b0b-4a0a-b900-a2c1a49e9b64.vbs"

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe

"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edc6687f-f2bc-43de-a6e1-04931072f044.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f2bb39b-3027-4232-abf5-bcda0f046a58.vbs"

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe

"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4461f3b3-6d28-4382-8003-1fcb2a86aca2.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7d3cac1-6002-42f5-8054-09b57ada8e59.vbs"

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe

"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8932713-d21c-4794-8320-c78bcc57e234.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\590c719a-0822-4eaa-8462-4b9e480ce3d5.vbs"

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe

"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbd1382d-f99f-4f08-b4af-05652643d859.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50a437f6-7bf5-4c79-a2e7-4140a5b874ca.vbs"

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe

"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5164f896-c7fd-4c21-989e-894822c92a23.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fd549e5-a621-47fa-a15e-c1f4296a7b7e.vbs"

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe

"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8672ee9d-a884-4a9d-9357-ab783d420963.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91da0304-79b1-4a4f-8b66-61296f12c575.vbs"

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe

"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d20064b3-254e-4656-8dee-0533aac2bc27.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd7bae4f-2cbb-47c6-bc4b-18789a6598d4.vbs"

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\System32\taskkill.exe" /im cmstp.exe /f

C:\Windows\SysWOW64\cmstp.exe

"C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\5iu40kon.inf

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}

C:\Windows\SysWOW64\mshta.exe

mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""C:\ProgramData\Getscreen.exe"":close")

C:\ProgramData\Getscreen.exe

"C:\ProgramData\Getscreen.exe"

C:\ProgramData\Getscreen.exe

"C:\ProgramData\Getscreen.exe" -gpipe \\.\pipe\PCommand97Getscreen.me -gui

C:\Windows\SysWOW64\mshta.exe

mshta vbscript:Execute("CreateObject(ChrW(87) + ChrW(83) + ChrW(99) + ChrW(114) + ChrW(105) + ChrW(112) + ChrW(116) + ChrW(46) + ChrW(83) + ChrW(104) + ChrW(101) + ChrW(108) + ChrW(108)).Run ""powershell.exe Stop-Process -Name 'cmstp'"", 0, true:close")

C:\ProgramData\Getscreen.exe

"C:\ProgramData\Getscreen.exe" -elevate \\.\pipe\elevateGS512zgrdhgy

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Stop-Process -Name 'cmstp'

C:\ProgramData\Getscreen.exe

"C:\ProgramData\Getscreen.exe" -cpipe \\.\pipe\PCommand96Getscreen.me -child

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe

"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49516b22-2d31-4ca6-9ad0-fdaadfa4c08f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02e8bfd6-524a-4da8-9b30-93de92ee23da.vbs"

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe

"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b75fa26b-52f3-41d0-9c23-63aa48b10c28.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce276b3b-d015-42e9-b9b9-8cd94ca04a63.vbs"

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe

"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backgroundTaskHost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24efefe8-b486-4514-be8c-cf87eefd0ffe.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbdc79a6-34c7-45d4-bf5b-1e085d93bdea.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 saturday-surely.gl.at.ply.gg udp
US 147.185.221.21:30089 saturday-surely.gl.at.ply.gg tcp
US 8.8.8.8:53 21.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 a1008986.xsph.ru udp
RU 141.8.192.103:80 a1008986.xsph.ru tcp
US 8.8.8.8:53 103.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 signal.getscreen.me udp
DE 5.75.168.191:443 signal.getscreen.me tcp
US 8.8.8.8:53 191.168.75.5.in-addr.arpa udp
US 8.8.8.8:53 image.getscreen.me udp
DE 5.9.146.41:443 image.getscreen.me tcp
US 8.8.8.8:53 41.146.9.5.in-addr.arpa udp
US 8.8.8.8:53 95.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\hovtpw.exe

C:\Users\Admin\AppData\Roaming\portwebdll\fn8HNHVgHWFLApRQ1mH.vbe

C:\Users\Admin\AppData\Roaming\portwebdll\CedH0gOYji0h1dJ.bat

C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe

C:\Users\Admin\AppData\Local\Temp\8af6d6f1-f9ca-4dbf-a609-98d144ed2edc.vbs

MD5 9fb74fb2a458a36dd977241d404f0d5f
SHA1 e15eec37e08ce76baf459ba45ac70033c3df901f
SHA256 cc92109fe2998948cdcd6358227080911620eb7f41c9b9908b5d50aebd944fa4
SHA512 9d59dffc24311e669660b9edd1bcaaa0587d84481b47313f4cf305ec1261d349bfbdda62c86c8b637b2609111de5eaa92654046e3e0d9349d81e8ec1c29f4738

C:\Users\Admin\AppData\Local\Temp\7a2c4dd2-3fec-41e6-b803-627c7f7bab31.vbs

MD5 4d37681a2eb712b037c5cc13868962e8
SHA1 ad323cc1e1d325015fb48aa9c63c7e5222fc5f6f
SHA256 39f56be7b00f2ee167e012350e558b745f739480cd2f7db1cd4a6a78b5083a3f
SHA512 84b586789502a93122b2e07d1594bb74bb6f7291bad36c7bfa535ee594f88c7866b81322b35f4bca6bb6ab87a3a3f1938734040966c0b235d68fc082d2dae3f6

memory/1856-93-0x0000000006E00000-0x0000000006E42000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\backgroundTaskHost.exe.log

MD5 9b0256da3bf9a5303141361b3da59823
SHA1 d73f34951777136c444eb2c98394f62912ebcdac
SHA256 96cbc3f4e49d7ae13cd46e36ebb4819b6db1eabe5db910902638c1a24947208e
SHA512 9f014fef4b1bb71dbdd1d0bad11bd20437a9801eaa830ab386f901f6b5be374a26f68161d7638ea03483028e9a56bf97023cc24b45356a9c76cb755a53d9c164

C:\Users\Admin\AppData\Local\Temp\14e1f8dd-97cb-4f6a-9b71-deeb13a58c21.vbs

MD5 ae5c260e68a3780650820fcd3e8bc52f
SHA1 3aecac11f526f1872f89dc61f8c4248d8c3887b0
SHA256 77eed194856ca4695c8702f7ee8ce029afb0adbc652ff18eae124a61e1998664
SHA512 937efa488a1f05a7a0934f99279fda6da547b702ba304f79c703c515184a9cbb31ef411a2bfd88e8451901c65a2b0c069d8f6f08e751b7f7ea2d24ab5410c96c

C:\Users\Admin\AppData\Local\Temp\edc6687f-f2bc-43de-a6e1-04931072f044.vbs

MD5 c414c16115e3288089e737f508955387
SHA1 53409771eccf217df6a7d7fb00e33f9c9b592f6b
SHA256 bb86f2dd119a51a66b259235d01c5d6c51e35ceb83515ee5fefacaefda3d6667
SHA512 76e92959969c81c6a2d5b438c455a883d6a29dc7c06a0920ed7adba49d23721d929ea4530ec7c98c966d8f403b36a07d0971678d90303379cf80685f8120545e

memory/1856-118-0x00000000070F0000-0x0000000007112000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4461f3b3-6d28-4382-8003-1fcb2a86aca2.vbs

MD5 38629e29206c5bdf7d9b9567d7459a90
SHA1 46134ec4257188bd18535fd4bead01a4dbec6c08
SHA256 8fce4c76eb42345474399f204898fbeaef46b2cc533a23ab441b3aa82313667c
SHA512 38ce0423f163283e8c3b2c52a1dcc5c47439250abc934adeee0b399f85c40e907db30025addbeb5edad95dd312b989e9adf69bcec25e7aa6208593cd1a406c05

C:\Users\Admin\AppData\Local\Temp\d8932713-d21c-4794-8320-c78bcc57e234.vbs

MD5 92789aad6190d52d7ded87a3c58a16e4
SHA1 3b90fb743351980de2dc4bfe9752bfa67305d09f
SHA256 31ad2ab974f4775e51158722783a78891a586d8f4d910364389770e7c69f2ab7
SHA512 de5bd20a29fdcbcce122adc4ce7a301c7c6b5fede46f0e9a52c4bfa48c5cb8669db51883edc8b97d76644ccdc94700d0f86beb37c2bc3aea1ac9e290c799cf40

C:\Users\Admin\AppData\Local\Temp\cbd1382d-f99f-4f08-b4af-05652643d859.vbs

MD5 5d8a59058b4cecdfb64ec67c2158db13
SHA1 ba24589181db54b47a88f2e4940d673853471367
SHA256 528f5cc8d31e776bb95e8d849f7af056a653b68903a492acc7831623d0cd88f0
SHA512 89f7c1428bffc2ee7f9c2373f766f8cab669a9972f717a2a89f7f24bd3477769e9366adaaa5ed8cabd5a1719c49896578532d5739ef281af7e6bd95c5976265b

C:\Users\Admin\AppData\Local\Temp\5164f896-c7fd-4c21-989e-894822c92a23.vbs

MD5 98af5a3d746dff3c8dce0380252fa5a7
SHA1 972a2e87984aaeea068aac45c1a22c5c24b0803d
SHA256 61bc139e5091860ca5eb5c3dc1782de042ee72b3b9ef7313d24822222215c6e0
SHA512 6e670e109774421b2e15164ebc3d50ddc0c9737aee90b16b630dca85365171a6b4ef324343084c3e2063e98a734a11b7448f89296977dedfd88d4a4d28936fa1

C:\Users\Admin\AppData\Local\Temp\d20064b3-254e-4656-8dee-0533aac2bc27.vbs

MD5 7f11ffeefc2a9f84848222f606948290
SHA1 3b7fd74cbb705e1ee3e4638bef096afb9082c7a0
SHA256 c4f68d0c1c7000e9cc7f6745f1b39f0ab7ebb391662e6cdce147bbfc1f2a285b
SHA512 19c3e51dcaf0f0d16d3ba328fbc4cec1aacdfefa520f91046d8e503156f196c2282ed5428b5b122c21df4df9679425ac076fc13a1a75dfcc582f16f53176def3

memory/1856-185-0x00000000084D0000-0x00000000089C6000-memory.dmp

C:\Windows\temp\5iu40kon.inf

MD5 5f43e657d0898672ad25bc085ad29725
SHA1 0438646f3c8e8243da282614b54f85741d720f27
SHA256 d2ff9bf64b5a303063b4246b31bbc82a0f9e6b01d8456ebcdbd399f694118a2a
SHA512 902bf5c2adabf1d1b6b97c1aa8bc54326248aa4ed64a033cfec82552d68b25e6a4384793fa01026ed892934fbb947ada59eec700f7bbc77fa98cc0bcb6da04b7

memory/1856-189-0x00000000027D0000-0x00000000027F4000-memory.dmp

C:\ProgramData\Getscreen.exe

MD5 c062dc70bff732dc20a897cebb008b87
SHA1 74c0adcc331615fd53dedb96d0ca31c797dc2378
SHA256 26ef17585f22d4c7c9862106dca31e3a5a0d95c129cb720ef03d62f9c3657a50
SHA512 7f4d7f20c90cf99c3a29d5ca631fa07ee54cc2ca7d9669756ec0e18fe07291504c2b5172d417ace64897768fef4f2fca09d40475cd750eeee05e126bc886ef72

memory/3660-194-0x00007FF7AF380000-0x00007FF7B0F8A000-memory.dmp

C:\ProgramData\Getscreen.me\logs\20240723.log

MD5 530162f3e32bcbcb92237f56ff91097b
SHA1 9667059650d2c2e16b7b35349e0fa19055a352e5
SHA256 bd9dc84a2a873be71ae236480d6ff89767a85e4a1b1eafa688623202ce83e206
SHA512 2d5d899272e9001143881c1d1390e17d3e62dce2e51c1f878b3bb7f1510ba1dc041b135172708c04086d6553ce758719553086129ca1688441507acef7a5edb7

memory/1536-196-0x00007FF7AF380000-0x00007FF7B0F8A000-memory.dmp

C:\ProgramData\Getscreen.me\logs\20240723.log

MD5 f63d0a0a9f4593a053bca2931b116c62
SHA1 2191443c5ef656ce5ee7372f8ed38d631539d1bb
SHA256 e49010424338daa07747ad0994e97e1f2291594dd4c7d3cf687d710f75e145ad
SHA512 67c55973b25de6628512d07341cc1c2398075a8f0b5bc88744872a7d32a2c1e22284803a74734a7f655561fc87bc1f39df9aa410bcc12b669cdf056927a17896

memory/744-205-0x00007FF7AF380000-0x00007FF7B0F8A000-memory.dmp

memory/744-204-0x00007FF7AF380000-0x00007FF7B0F8A000-memory.dmp

memory/4800-206-0x0000000002E80000-0x0000000002EB6000-memory.dmp

memory/4800-207-0x00000000058A0000-0x0000000005EC8000-memory.dmp

memory/4800-209-0x0000000005FA0000-0x0000000006006000-memory.dmp

memory/4800-208-0x0000000005F00000-0x0000000005F22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eqdjcp2x.o00.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\ProgramData\Getscreen.me\logs\20240723.log

MD5 7dabd40835be155860832729cbb2c5ad
SHA1 48891fc071d3d8ca95724cf6f6109007db2afbd6
SHA256 ea6de481a6a2e748dbd62e4dd2b4e49808d57b5ca8b0f6bd50a57d559ede0dc6
SHA512 ade93922b7a09731e1452f0d04b6a7c6aa83d2d1c48c4383db36b0d519e192ee6388b0473acb03ebccdfae66be1545e028fa8c67f0f4e03fbec0859b71169edf

C:\ProgramData\Getscreen.me\memory\0000pipe0PCommand96Getscreen0me

MD5 4b1b4e345cc5f2c368f3ac861ef9cf78
SHA1 59a6c0a73cb6e95ab5ff8575cb5777ee7945dd0c
SHA256 ae8286341fde8f581c76ee67718d602efcc5d94de663d2054f9dca1a6195e987
SHA512 2dd27dc84c14f7d88bee7494900a68149d6d7de1db768d92e6fc69263646f0e7a22dddb36aadb35d4176fa284b16d293356a0403e87b758e13b859a6368edc0d

memory/4800-220-0x0000000006180000-0x00000000064D4000-memory.dmp

memory/4800-223-0x0000000006770000-0x000000000678E000-memory.dmp

memory/4800-224-0x00000000067B0000-0x00000000067FC000-memory.dmp

memory/4800-232-0x0000000006CD0000-0x0000000006CF2000-memory.dmp

memory/4800-231-0x0000000006C70000-0x0000000006C8A000-memory.dmp

memory/4800-230-0x0000000007750000-0x00000000077E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\49516b22-2d31-4ca6-9ad0-fdaadfa4c08f.vbs

MD5 180c21b48e78014e95fb7d9806e0bca7
SHA1 f5ab0214081fb27894dd10c182c3ef3c716a0888
SHA256 1748bb0642b70641ca37903ccad50580999d37c4efe0dffa72644ffb20a563fc
SHA512 4001abd8f3d5d7a1b82e89ad1fb41afc08de10b021e827afa95597d1d9d162d0125a5782126499394b2164232ebb46d665c7a97e6a87fc694dbcbcbe2e815c38

memory/1516-248-0x00007FF7AF380000-0x00007FF7B0F8A000-memory.dmp

memory/3660-249-0x00007FF7AF380000-0x00007FF7B0F8A000-memory.dmp

memory/1536-250-0x00007FF7AF380000-0x00007FF7B0F8A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b75fa26b-52f3-41d0-9c23-63aa48b10c28.vbs

MD5 ca4edc37211c68e51c2cc8ebaa3f86a9
SHA1 e8e9a0576d3836bd4aa7ebaa89fbd5d6960021c6
SHA256 4b09a39ee1b3fdc6008e60aadea4e75c9f98e2898046bf68f319ca680233a0ed
SHA512 a97e1aafdd9e74035d993f99923b938d4673affff2fb43e3d89536daab915149fddf4e1a071dd22e2ad688e0bce59f65a6c7654151ef335c463fea53821e7cb8

memory/3660-263-0x00007FF7AF380000-0x00007FF7B0F8A000-memory.dmp

memory/1536-264-0x00007FF7AF380000-0x00007FF7B0F8A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\24efefe8-b486-4514-be8c-cf87eefd0ffe.vbs

MD5 eb0d08ae238c70e8faf1792e31b3e0f0
SHA1 923e20cb4e32e2aa6038174f9c28a9003280ac23
SHA256 a0cebbb097a2bd7809209f15828282e3d6060fe545e4938fdd91172c05d32302
SHA512 bba932907bc87b68381407c1ea8fb979a45195d8cb2a87bf9b70243f25bb2c8b79b8a473f443bfd3f91492fb6e8e85261e6626834a25c7d037f5e9da6aaca6d3

memory/3660-275-0x00007FF7AF380000-0x00007FF7B0F8A000-memory.dmp